Monday, March 26, 2012

If you're running Microsoft Network Load Balancing (NLB) you may not know it, but all the nodes in your cluster are responding to ICMP requests. You wouldn't know this by pinging the cluster IP from a Windows machine, because the implementation of ping on Windows ignores duplicated ICMP echo responses. If you ping the cluster IP from a Linux or OS X machine you'll see that you're receiving duplicate ICMP echo responses. This isn't normally a big deal, but if you're using third-party monitoring, such as pingdom.com, they may report an error on their ping tests for your site.

So how does one stop all nodes in the NLB cluster from responding to ICMP? I didn't think you could until a co-worker of mine stumbled upon the following link. The link doesn't tell you how to change how the cluster responds to ICMP messages, but it shows that there is an option to. There isn't much documentation that I could find on Microsoft's site regarding this. The only other thing I could find is this.

Now that I knew you could change how the nodes in the NLB cluster responded to ICMP messages, I needed to figure out how to change the behavior. Turns out it's actually just a simple registry setting.

To make the NLB cluster load balance ICMP traffic, so that all ICMP traffic is filtered by the cluster and accepted by only a single host, perform the following:

Change HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\WLBS\Parameters\Interface\{GUID}\FilterICMP from 0 to 1 on all the nodes in the cluster and then reboot all the nodes.

Where {GUID} is a GUID that refers to the network involved in the NLB cluster you're wanting to change the ICMP filtering functionality on.

Additionally, you can use Windows PowerShell to see if the node is configured to filter ICMP requests or not (make sure you're on a computer that has NLB installed and you open the "Windows PowerShell Modules" so that the NLB cmdlets are loaded):
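As an added example (not the snippet from the original post, and not using the NLB cmdlets), the FilterICMP value can be read straight from the registry path given above for every interface GUID on a node. The function name Get-NlbFilterIcmpState and its parameters are hypothetical.

```powershell
# Added example: audit, and optionally set, FilterICMP for every NLB interface key.
# The registry path and value name come from the post; everything else is illustrative.
function Get-NlbFilterIcmpState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$BasePath = 'HKLM:\System\CurrentControlSet\services\WLBS\Parameters\Interface',
        [switch]$Enable   # write FilterICMP = 1 where it is not already 1
    )

    if (-not (Test-Path -Path $BasePath)) {
        Write-Warning "No WLBS interface keys under $BasePath (is NLB installed on this node?)"
        return
    }

    foreach ($key in Get-ChildItem -Path $BasePath) {
        $props = Get-ItemProperty -Path $key.PSPath
        $value = $props.FilterICMP          # $null when the value does not exist

        if ($Enable -and $value -ne 1) {
            if ($PSCmdlet.ShouldProcess($key.PSChildName, 'Set FilterICMP = 1')) {
                Set-ItemProperty -Path $key.PSPath -Name FilterICMP -Value 1 -Type DWord
                $value = 1                  # takes effect after the node is rebooted
            }
        }

        [pscustomobject]@{
            Node          = $env:COMPUTERNAME
            InterfaceGuid = $key.PSChildName
            FilterICMP    = $value
            Filtered      = ($value -eq 1)  # only 1 means a single host answers ICMP
        }
    }
}

# Report only; run with -Enable -WhatIf first to preview the change on each node.
Get-NlbFilterIcmpState | Format-Table -AutoSize
```

Run it on each node in the cluster, since the value is per node and all nodes have to agree.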

Tuesday, March 20, 2012

Below is a PowerShell script that will email password change reminders to users when their password is about to expire. It uses built-in Windows functionality and doesn't require any third-party software. It's fully customizable, with the ability to easily set email intervals.

The default email schedule will email users at 30 days, 15 days, 7 days, 5 days, 3 days, 2 days, 1 day and the day of password expiration. If the user changes their password they will stop receiving email notifications until it becomes time to change their password again.

The script will ignore disabled user accounts and accounts that have the "password never expires" attribute set. If the user has an associated email address in Active Directory, it will send the reminder to that email address. If the user does not have an associated email address, an email will be sent to the address specified by the $adminEmail variable, allowing the admin to be proactive. The script will also email the $adminEmail if a user's account has expired, again so that the admin can be proactive. The $adminEmail will receive only one email summary to avoid inbox clutter. The summary will also show users who are required to change their passwords but have not done so yet. There's usually a good reason they're not logging on. Usually these types of accounts were provisioned for an employee but that employee never started.

In a nutshell, if you're running the script on a domain controller you should be set. If you want to run it on a member server then execute the following PowerShell commands:

Import-Module ServerManager

Add-WindowsFeature RSAT-AD-PowerShell

You should create a scheduled task to run the script shortly after midnight each night. Before using it, be sure to set the five configuration variables in the Configurable Settings section at the top of the script.

Note: The script is just using the default domain password policy, but if you're using the AD DS Fine-Grained Password Policies you should be able to modify the script fairly easily. You'll just have to invoke the Get-ADUserResultantPasswordPolicy cmdlet while iterating through the user objects. Also note that all time is done with GMT and time zones are not taken into account. This shouldn't be an issue unless your enterprise spans the globe. If your enterprise only spans a few contiguous time zones, have the script run at midnight in the time zone that's closest to GMT.

# GetPasswordExpireDate, GetDaysToExpire, IsInWarningIntervals and EmailUser are
# called below, but their definitions do not appear on this page.

# Sends the single summary email to the admin address
function EmailAdmin($content)
{
    if ([string]::IsNullOrEmpty($content) -and $alwaysSendAdminSummary)
    {
        $content = "There are no users with expired passwords or users that need to change their password."
    }

    if ([string]::IsNullOrEmpty($content) -ne $True)
    {
        $smtp.Send($fromEmail, $adminEmail, "Password Expiration Summary", $content)
    }
}

# Summary line for a user who is due a reminder but has no mail attribute
function AppendAdminEmailNoMail($user)
{
    return "The password for account """ + $user.samAccountName + """ will expire in " + $daysToExpire + " days at " + $pwdExpires + " and there is no associated email address to send a notification to" + [System.Environment]::NewLine + [System.Environment]::NewLine
}

# Summary line for a user whose password has expired or must be changed at next logon
function AppendAdminEmailExpiredAccount($user)
{
    if ($user.pwdLastSet -eq 0)
    {
        return "The user account """ + $user.samAccountName + """ is set to require a password change at next logon and the user has not yet changed it" + [System.Environment]::NewLine + [System.Environment]::NewLine
    }
    else
    {
        return "The password for user account """ + $user.samAccountName + """ expired " + $daysToExpire + " days ago on " + $pwdExpires + [System.Environment]::NewLine + [System.Environment]::NewLine
    }
}

foreach ($user in $users)
{
    # if account is enabled and password never expire flag does not exist, then process user
    if (($user.enabled -eq $True) -and (($user.userAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq 0))
    {
        $pwdExpires = GetPasswordExpireDate $user
        $daysToExpire = GetDaysToExpire $pwdExpires

        # if day falls on warning interval
        if (IsInWarningIntervals $daysToExpire)
        {
            # if mail attribute is not found in AD, add to admin email
            if ([string]::IsNullOrEmpty($user.mail))
            {
                $adminEmailContent += AppendAdminEmailNoMail $user
            }
            # otherwise email user
            else
            {
                EmailUser $user
            }
        }

        # if days to expire is negative, password has expired. add to admin email
        if ($daysToExpire -lt 0)
        {
            $adminEmailContent += AppendAdminEmailExpiredAccount $user
        }
    }
}
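The fine-grained policy variant mentioned in the note above, as an added example that is not part of the original script: it resolves each user's effective maximum password age with Get-ADUserResultantPasswordPolicy, falls back to the default domain policy, and checks the result against the default reminder schedule in UTC. The function names Get-EffectiveMaxPasswordAge and Get-DaysToExpireUtc are hypothetical, and the ActiveDirectory module (RSAT-AD-PowerShell) is assumed to be installed.

```powershell
# Added example: days-to-expiry that honours Fine-Grained Password Policies.
Import-Module ActiveDirectory

# The default reminder schedule described in the post (0 = day of expiration)
$warningIntervals = 30, 15, 7, 5, 3, 2, 1, 0

function Get-EffectiveMaxPasswordAge($user, $domainPolicy)
{
    # A fine-grained policy, when one applies to the user, overrides the domain default
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($null -ne $fgpp) { return $fgpp.MaxPasswordAge }
    return $domainPolicy.MaxPasswordAge
}

function Get-DaysToExpireUtc($user, [TimeSpan]$maxAge, [DateTime]$nowUtc)
{
    # pwdLastSet = 0 means "must change at next logon"; a zero MaxPasswordAge
    # means passwords never expire under that policy. Neither has an expiry date.
    if ($user.pwdLastSet -eq 0 -or $maxAge -eq [TimeSpan]::Zero) { return $null }

    # pwdLastSet is a FILETIME; keep everything in UTC, as the original script does
    $expires = [DateTime]::FromFileTimeUtc($user.pwdLastSet) + $maxAge
    return [int][Math]::Floor(($expires.Date - $nowUtc.Date).TotalDays)
}

$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$nowUtc       = [DateTime]::UtcNow
$users        = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                           -Properties pwdLastSet, mail

foreach ($user in $users)
{
    $maxAge = Get-EffectiveMaxPasswordAge $user $domainPolicy
    $days   = Get-DaysToExpireUtc $user $maxAge $nowUtc

    # Emit one record per user who is due a reminder today
    if ($null -ne $days -and $warningIntervals -contains $days)
    {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Mail           = $user.mail
            DaysToExpire   = $days
            MaxPasswordAge = $maxAge
        }
    }
}
```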

Monday, March 12, 2012

I'm relatively new to PowerShell; the following are PowerShell snippets that I wanted to keep around for my personal reference. It's short sample code, if you will. I figured I'd post them so that I can always come back here to reference them. Maybe someone else can find them useful too. I can elaborate and expand on any of them in another posting if anyone would like.

Tuesday, February 21, 2012

I haven't gotten to play with the bundling and minification stuff included in ASP.NET 4.5, but the stuff looks pretty cool! If you haven't heard of it yet, I highly recommend watching the following video. It's well worth your time. I'm just learning about it now. ScottGu blogged about it back in November. Microsoft nailed this one!

To summarize, bundling and minification reduce the number of client/server round trips and the size of the payloads, resulting in much faster page load times and better resource utilization.